ejs - RCE (CVE-2023-29827)

CVE-2023-29827 is a vulnerability in ejs v3.1.9 allows for server-side template injection if an attacker can control the EJS file and manipulate the closeDelimiter parameter. This flaw could potentially be exploited for remote code execution (RCE), enabling attackers to run arbitrary code on the server. However, the vendor disputes the risk, noting that the render function is not intended for use with untrusted input.

CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2023-29827 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2023-29827 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2023-29827 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit this vulnerability by injecting malicious JavaScript code into the settings[view options][closeDelimiter] parameter of the /page endpoint, enabling remote code execution via EJS template injection.